%3CLINGO-SUB%20id%3D%22lingo-sub-1220336%22%20slang%3D%22en-US%22%3EValidating%20Azure%20Key%20Vault%20Threat%20Detection%20in%20Azure%20Security%20Center%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1220336%22%20slang%3D%22en-US%22%3E%3CP%3EAzure%20Security%20Center%20includes%20advanced%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fthreat-protection%23threat-protection-for-azure-key-vault-preview%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ethreat%20protection%20for%20Azure%20Key%20Vault%3C%2FA%3E.%20Security%20Center%20detects%20unusual%20and%20potentially%20harmful%20attempts%20to%20access%20or%20exploit%20Key%20Vault%20accounts%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3Ebased%20on%20behavior%20analysis%20using%20machine%20learning%3C%2FFONT%3E.%20To%20use%20this%20threat%20detection%20capability%2C%20you%20need%20to%20enable%20the%20Key%20Vault%20threat%20bundle%20in%20Azure%20Security%20Center%20pricing%20tier%20as%20shown%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Fig0.JPG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F176208i3A820E588C5E3A67%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Fig0.JPG%22%20alt%3D%22Fig0.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20validation%20steps%20that%20follows%20are%20going%20to%20help%20you%20to%20simulate%20an%20action%20that%20will%20trigger%20an%20alert%20in%20Azure%20Security%20Center.%20This%20action%20may%20be%20benign%20in%20some%20cases%2C%20but%20it%20could%20also%20indicate%20that%20the%20Key%20Vault%20has%20been%20accessed%20by%20someone%20using%20the%20TOR%20IP%20anonymization%20system%20to%20hide%20their%20true%20source%20location.%20Follow%20the%20steps%20below%20to%20perform%20this%20simulation%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1.%20If%20you%20don%E2%80%99t%20have%20a%20Key%20Vault%20created%20yet%2C%20make%20sure%20to%20create%20one%20following%20the%20steps%20from%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fkey-vault%2Fquick-create-portal%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E2.%20After%20finishing%20creating%20the%20Key%20Vault%20and%20the%20secret%2C%20go%20to%20a%20VM%20that%20has%20Internet%20access%20and%20download%20TOR%20Browser%20from%20%3CA%20href%3D%22https%3A%2F%2Fwww.torproject.org%2Fdownload%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E3.%20Install%20TOR%20Browser%20on%20your%20VM%3C%2FP%3E%0A%3CP%3E4.%20Once%20you%20finished%20the%20installation%2C%20open%20your%20regular%20browser%2C%20logon%20to%20the%20Azure%20Portal%2C%20and%20access%20the%20Key%20Vault%20page.%20Select%20the%20URL%20highlighted%20below%20and%20copy%20the%20address%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Fig3_2.JPG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F176210i3797170A498B50D1%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Fig3_2.JPG%22%20alt%3D%22Fig3_2.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E5.%20Open%20TOR%20and%20paste%20this%20URL%20(you%20will%20need%20to%20authenticate%20again%20to%20access%20the%20Azure%20Portal).%20%3CBR%20%2F%3E6.%20After%20finishing%20access%2C%20you%20can%20also%20click%20in%20%3CEM%3ESecrets%3C%2FEM%3E%20option%20in%20the%20left%20pane.%20%3CBR%20%2F%3E7.%20In%20the%20TOR%20Browser%2C%20sign%20out%20from%20Azure%20Portal%20and%20close%20the%20browser.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAfter%20some%20time%2C%20Security%20Center%20will%20trigger%20an%20alert%20with%20detailed%20information%20about%20this%20suspicious%20activity%2C%20as%20shown%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Fig4.JPG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F176212iBB1895C751488C6E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Fig4.JPG%22%20alt%3D%22Fig4.JPG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20a%20complete%20list%20of%20potential%20alerts%20that%20could%20be%20triggered%20by%20Azure%20Key%20Vault%20threat%20detection%20in%20Azure%20Security%20Center%2C%20access%20this%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Falerts-reference%23alerts-azurekv%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ereference%20guide%20for%20alerts%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3ESpecial%20thanks%20to%20the%20reviewers%3A%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3ESharon%20Xia%2C%20Principal%20PM%20and%20%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3EWalner%20Dort%2C%20PM%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Azure Security Center includes advanced threat protection for Azure Key Vault. Security Center detects unusual and potentially harmful attempts to access or exploit Key Vault accounts based on behavior analysis using machine learning. To use this threat detection capability, you need to enable the Key Vault threat bundle in Azure Security Center pricing tier as shown below:

 

Fig0.JPG

 

The validation steps that follows are going to help you to simulate an action that will trigger an alert in Azure Security Center. This action may be benign in some cases, but it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. Follow the steps below to perform this simulation:

 

1. If you don’t have a Key Vault created yet, make sure to create one following the steps from this article.

2. After finishing creating the Key Vault and the secret, go to a VM that has Internet access and download TOR Browser from here.

3. Install TOR Browser on your VM

4. Once you finished the installation, open your regular browser, logon to the Azure Portal, and access the Key Vault page. Select the URL highlighted below and copy the address:

 

Fig3_2.JPG

 

5. Open TOR and paste this URL (you will need to authenticate again to access the Azure Portal).
6. After finishing access, you can also click in Secrets option in the left pane.
7. In the TOR Browser, sign out from Azure Portal and close the browser.

 

After some time, Security Center will trigger an alert with detailed information about this suspicious activity, as shown below:

 

Fig4.JPG

 

For a complete list of potential alerts that could be triggered by Azure Key Vault threat detection in Azure Security Center, access this reference guide for alerts.

 

Special thanks to the reviewers:

Sharon Xia, Principal PM and

Walner Dort, PM